{
	# 1. GLOBAL OPTIONS

	# ACME account contact used for certificate issuance notices.
	email charles.a.monroe@gmail.com

	# coraza_waf is a non-standard directive; pin it to run before every other
	# handler so `import waf` in a site block is effective without a `route`.
	order coraza_waf first

	servers {
		# Only peers on private (RFC 1918), loopback and private-IPv6 addresses are
		# trusted to supply client-IP headers; for any other peer the headers are
		# ignored and {client_ip} is the peer address itself. Headers are consulted
		# in the order listed.
		# NOTE(review): this only yields the real visitor IP if the edge (Cloudflare)
		# reaches Caddy from a private address, e.g. a local cloudflared tunnel. If
		# Cloudflare instead connects to the origin directly, no peer is trusted and
		# CF-Connecting-IP is never used — confirm which path is deployed.
		trusted_proxies static private_ranges
		client_ip_headers CF-Connecting-IP X-Forwarded-For X-Real-IP
	}

	# Certificate/ACME state shared via Redis (db 2, keys prefixed "caddy").
	# NOTE(review): tls_enabled false means the Redis password and the stored TLS
	# private keys cross the LAN in clear text — acceptable only on a trusted segment.
	storage redis {
		address 192.168.0.120:6379
		password {env.REDIS_PASSWORD}
		db 2
		key_prefix caddy
		tls_enabled false
	}
}
# --- SNIPPETS ---
(internal_tls) {
	# Issue certificates with the ACME DNS-01 challenge via the Cloudflare API, so
	# validation does not require the origin to be reachable on :80/:443.
	# The resolver is pinned to 1.1.1.1 — presumably so the TXT-record check is not
	# answered by an internal split-horizon DNS for poppyglen.cc.
	tls {
		resolvers 1.1.1.1
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
}
(authelia) {
	# Delegate authentication to Authelia before the request reaches the upstream.
	# An unauthenticated request is redirected to the portal given in `rd=`; on
	# success the identity headers listed in copy_headers are copied from Authelia's
	# response onto the proxied request.
	# NOTE(review): /api/verify is Authelia's legacy forward-auth endpoint; for
	# Authelia 4.38+ the documented Caddy endpoint is /api/authz/forward-auth —
	# confirm against the running Authelia version.
	forward_auth 192.168.0.107:9091 {
		uri /api/verify?rd=https://auth.poppyglen.cc/
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}
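(admin_redir) {
	# Keep /admin (Vaultwarden's admin panel) reachable only from the LAN.
	# `client_ip` is the address Caddy derives after applying the global
	# trusted_proxies / client_ip_headers settings. The previous `remote_ip` matcher
	# compares the immediate TCP peer instead: when traffic arrives through a local
	# tunnel or proxy on a private address, every request matches private_ranges and
	# the redirect never fires, exposing /admin to the internet. With no trusted
	# proxy in the path, {client_ip} equals the peer address, so LAN-only behaviour
	# is unchanged.
	@admin {
		path /admin*
		not client_ip private_ranges
	}
	# 302 to the site root rather than an error, so the panel's existence is not
	# advertised to outside callers.
	redir @admin /
}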
# Standard WAF (for most apps): the base Coraza/CRS configuration only.
# Because of `order coraza_waf first` in the global block, this runs before
# any other handler in a site that imports it (or in written order inside `route`).
(waf) {
	coraza_waf {
		include /etc/caddy/coraza/coraza.conf
	}
}
# Nextcloud WAF: base configuration plus Nextcloud-specific rule exclusions and
# rules. Include order matters — exclusions must be loaded before the rules they
# disable.
# NOTE(review): no site block in this file imports this snippet; it is either dead
# config or the Nextcloud site lives in another file — confirm.
(nextcloud_waf) {
	coraza_waf {
		include /etc/caddy/coraza/coraza.conf
		include /etc/caddy/coraza/nextcloud-exclusions.conf
		include /etc/caddy/coraza/nextcloud-waf.conf
	}
}
auth.poppyglen.cc {
	# Authelia portal. No WAF and no forward_auth here — Authelia is the
	# authenticator itself.
	reverse_proxy {
		to 192.168.0.107:9091
		# Hard-coded snapshot of Cloudflare's edge ranges: X-Forwarded-* headers from
		# these peers are passed through to Authelia instead of being overwritten.
		# NOTE(review): this per-site option is largely superseded by the global
		# `servers > trusted_proxies`, which here trusts only private_ranges. The two
		# settings agree only in one deployment model each (direct Cloudflare origin
		# vs. local tunnel), and this list goes stale silently when Cloudflare
		# republishes its ranges — confirm which path is in use and whether the list
		# is still needed.
		trusted_proxies 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 2400:cb00::/32 2405:8100::/32 2405:b500::/32 2606:4700::/32 2803:f800::/32 2a06:98c0::/29 2c0f:f248::/32
	}
	import internal_tls
}
wireguard.poppyglen.cc {
	# Plain pass-through to the LAN upstream over HTTP; TLS terminates here.
	# NOTE(review): no `import authelia` or `import waf` — this site relies entirely
	# on the upstream's own login. For a VPN management UI, consider adding
	# `import authelia` or a `client_ip private_ranges` matcher if it need not be
	# reachable from the internet.
	reverse_proxy {
		to 192.168.0.102:10086
	}
	import internal_tls
}
nb.poppyglen.cc {
	# Plain pass-through to the LAN upstream over HTTP; TLS terminates here.
	# No WAF or forward_auth on this site — the upstream's own authentication is the
	# only gate.
	reverse_proxy {
		to 192.168.0.111:8888
	}
	import internal_tls
}
chat.poppyglen.cc {
	# Plain pass-through to the LAN upstream over HTTP; TLS terminates here.
	# No WAF or forward_auth on this site — the upstream's own authentication is the
	# only gate.
	reverse_proxy {
		to 192.168.0.110:8080
	}
	import internal_tls
}
search.poppyglen.cc {
	# Plain pass-through to the LAN upstream over HTTP; TLS terminates here.
	# No WAF or forward_auth on this site.
	reverse_proxy {
		to 192.168.0.112:8888
	}
	import internal_tls
}
ldap.poppyglen.cc {
	# Plain pass-through to the LAN upstream over HTTP; TLS terminates here.
	# NOTE(review): no `import authelia` or `import waf` — a directory/identity
	# admin UI is exposed to the internet behind only its own login. Consider
	# `import authelia` or a `client_ip private_ranges` matcher, unless external
	# access is required.
	reverse_proxy {
		to 192.168.0.126:17170
	}
	import internal_tls
}
gitea.poppyglen.cc {
	# Plain pass-through to the LAN upstream over HTTP; TLS terminates here.
	# No WAF or forward_auth — Gitea's own authentication is the only gate, which
	# also keeps git-over-HTTPS clients working.
	reverse_proxy {
		to 192.168.0.109:3000
	}
	import internal_tls
}
dns.poppyglen.cc {
	# Plain pass-through to the LAN upstream over HTTP; TLS terminates here.
	# NOTE(review): no `import authelia` or `import waf` — a DNS server admin UI is
	# reachable from the internet behind only its own login. Consider
	# `import authelia` or a `client_ip private_ranges` matcher.
	reverse_proxy {
		to 192.168.0.101:5380
	}
	import internal_tls
}
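immich.poppyglen.cc {
	# Certificates come from Caddy's default ACME flow here (no internal_tls import).
	route {
		# 1. Authelia check — intentionally left disabled; Immich performs its own
		#    authentication. Re-enable by uncommenting.
		# import authelia
		# 2. WAF check (must be before the proxy; `route` keeps written order)
		import waf
		# 3. Proxy
		reverse_proxy 192.168.0.105:2283 {
			header_up Host {host}
			# {client_ip} is the trusted-proxy-aware visitor address derived from the
			# global trusted_proxies / client_ip_headers settings. The previous
			# {remote_host} is the immediate TCP peer, which behind a tunnel or proxy is
			# the proxy itself, so the upstream would see one address for every visitor.
			# Without a trusted proxy in the path the two placeholders are identical.
			header_up X-Real-IP {client_ip}
			header_up X-Forwarded-For {client_ip}
			# This site is HTTPS-only, so the scheme can be asserted statically.
			header_up X-Forwarded-Proto https
		}
	}
}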
jellyfin.poppyglen.cc {
	# Certificates come from Caddy's default ACME flow here (no internal_tls import).
	route {
		# Authelia first, then WAF, then proxy — `route` enforces this written order.
		# NOTE(review): forward_auth applies to every path, including the API used by
		# Jellyfin's native clients, which may not be able to complete an Authelia
		# redirect — confirm those clients still work.
		import authelia
		import waf
		reverse_proxy {
			to 192.168.0.106:8096
		}
	}
}
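vault.poppyglen.cc {
	# Vaultwarden. Certificates come from Caddy's default ACME flow (no internal_tls).
	encode zstd gzip
	header {
		# HSTS for one year (trailing ";" removed — it was a no-op but non-standard).
		Strict-Transport-Security "max-age=31536000"
		# Legacy header; modern browsers ignore it, kept for older clients.
		X-XSS-Protection "1; mode=block"
		X-Frame-Options "DENY"
		X-Robots-Tag "noindex, nofollow, none"
		X-Content-Type-Options "nosniff"
		-Server
	}
	# Redirect /admin* away unless the visitor is on the LAN (see the snippet).
	import admin_redir
	# Optionally enable WAF for vaultwarden too:
	# import waf
	reverse_proxy 192.168.0.104:8000 {
		# Vaultwarden reads X-Real-IP for logging and per-IP limits. {client_ip} is the
		# trusted-proxy-aware visitor address; the previous {remote_host} is the
		# immediate peer, which behind a tunnel/proxy is the proxy itself, so every
		# visitor would share one address (and any IP-based lockout would hit all of
		# them). Without a trusted proxy in the path the two values are identical.
		header_up X-Real-IP {client_ip}
	}
}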
mail.poppyglen.cc {
	# Static 200 response only. Presumably this block exists so Caddy obtains and
	# renews a certificate for the mail hostname (default HTTP/TLS-ALPN challenge,
	# since internal_tls is not imported) — confirm how the mail server consumes it.
	respond "Mail Server SSL Endpoint" 200
}